June 10, 2019

Even its most optimistic users would have to concede that it’s been a bracing few weeks for anyone who relies on Microsoft’s Remote Desktop Protocol (RDP).

The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.

That came hot on the heels of Microsoft’s urgent warning in May about the risk of a dangerous “wormable” vulnerability called BlueKeep (CVE-2019-0708) in Windows XP and 7’s Remote Desktop Services (RDS), which use RDP.

By the time the US National Security Agency (NSA) chipped in with its own mildly apocalyptic BlueKeep alert on 4 June 2019, it was clear they believed something unpleasant might be brewing.

It’s behind you

The mega-attack exploiting BlueKeep has yet to materialize, but what users have got in the meantime is GoldBrute, a much more basic threat that targets the problem of RDP servers left exposed to the internet.

A search on Shodan puts the number of servers in this vulnerable state at 2.4 million, 1,596,571 of which, Morphus discovered, had been subjected to an attempted brute force attack targeting weak credentials.

Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.

The attacker injected malicious code into Agama, a cryptocurrency wallet created by Komodo. If successful, they could have stolen around $13m of Komodo’s KMD cryptocurrency, which is a privacy-centric coin. Luckily, they were thwarted by quick action from both Komodo and software repository npm.

On 8 March 2019, the sneaky developer published what appeared to be a useful update to a software component used by the Agama wallet. The attacker, who called themselves ‘sawlysawly’, posted the update on the GitHub developer collaboration website where Komodo hosts its source code.

Open source developers like to reuse each other’s software rather than reinventing the wheel. When a software application relies on a third party to do something, it’s called a dependency. The third-party building blocks on which applications depend are known as packages or modules, and people publish them in central repositories for developers to find. One of those repositories is npm. Started in 2009, it deals with JavaScript packages.

An npm package called electron-native-notify was introduced by sawlysawly as a dependency in the Agama wallet, meaning that the new version of the wallet would use that code.

At the time of the commit, the version of electron-native-notify (1.1.5) on npm was legit, but 15 days after making the commit, the npm package was updated to 1.1.6, which included a malicious payload. The next version of Agama was released on 13 April 2019.

The change in electron-native-notify enabled the attacker to steal the wallet seed, which is a secret phrase that enables users to retrieve their coins using any wallet.
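To make the dependency mechanism concrete, here is an added Python illustration (not Komodo’s, npm’s or the original article’s code) of how a floating version range lets a later publish such as 1.1.6 flow into a fresh build while an exact pin plus a lockfile would not. The package name and dates come from the story above; the declared range ‘^1.1.5’ is an assumption (the article does not say how the dependency was declared), and the 1.1.6 publish date is derived from the “15 days later” figure.

```python
# Constructed publish history of electron-native-notify, per the timeline above:
# 1.1.5 was the legitimate version when the dependency was added on 8 March 2019;
# 1.1.6 (the poisoned version) appeared 15 days later, i.e. 23 March 2019 (derived).
# Dates are ISO strings so they compare correctly as plain strings.
PUBLISHED = {
    "1.1.5": "2019-03-08",
    "1.1.6": "2019-03-23",
}


def parse(version):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def satisfies(version, spec):
    """Minimal matcher for exact pins ('1.1.5') and caret ranges ('^1.1.5')."""
    v = parse(version)
    if not spec.startswith("^"):
        return v == parse(spec)
    lo = parse(spec[1:])
    if v < lo:
        return False
    # A caret range keeps the leftmost non-zero component fixed and floats the rest.
    if lo[0] > 0:
        return v[0] == lo[0]
    if lo[1] > 0:
        return v[:2] == lo[:2]
    return v == lo


def resolve(spec, install_date, published=PUBLISHED):
    """Highest version published on or before install_date that satisfies spec,
    i.e. what a fresh install without a lockfile would pick."""
    candidates = [v for v, published_on in published.items()
                  if published_on <= install_date and satisfies(v, spec)]
    return max(candidates, key=parse) if candidates else None


def lockfile_drift(locked, spec, install_date):
    """True when a fresh install on install_date would pick a version other than
    the one recorded in the lockfile. With the assumed range '^1.1.5', that drift
    is exactly the window in which 1.1.6 could enter the 13 April 2019 build."""
    return resolve(spec, install_date) != locked
```

Comparing the resolved version against the lockfile before a release build is the check that would have flagged the swap in this case.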

More than two and a half years after the fact, the Feds are finally going to investigate the failure of voter registration software – from a company that had been cyber-attacked by Russians just days before the November 2016 US presidential election – in the swing state of North Carolina.

Politico has reviewed a document and spoken to somebody with knowledge of the episode, both of which suggest that the vendor, VR Systems, “inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election.”

Specifically, VR Systems used remote-access software to connect for several hours to a central computer in Durham County so as to troubleshoot problems with the company’s voter registration software. In fact, election officials would come to find out that this was common practice, according to Politico’s source, in spite of the fact that election technology security experts agree that it opens up systems to hacking.

Election Day 2016: Durham County

When the polls opened in Durham County on 8 November 2016, election officials discovered that the laptop computers used by precincts to verify voter registration had malfunctioned. They were forced to cross-check voter registration with old-fashioned paper poll registries and to extend voting hours.

It was suspicious, and it wasn’t an isolated incident. Five or six precincts reported the same problem with the computerized check-in system from VR Systems, a Florida-based e-voting vendor with customers in eight states. The county, which leans heavily to the Democrats, had delivered 75% of its votes to Barack Obama during both of his presidential runs, and North Carolina was considered a key swing state in the 2016 presidential election.

You’re sitting at your computer when it occurs to you that you really need to buy more tube socks, so you click yourself on over to Tube-Socks-R-Us.com and fill your cart full of socks.

But wait, what’s this? You’re being asked for another sign of authentication before you can check out? Why, that means you have to get up! You need to go get your phone for that one-time PIN! And that darn phone is all the way over there! Well, just forget it, you say, and yet another abandoned cart gets added to the heaps of can’t-be-bothered purchase exhaustion that’s (reportedly) the stuff of online merchant nightmares.

Well, that’s the dystopian, dys-profitable e-commerce future envisioned by Stripe, at any rate. Stripe, maker of online payment technology, recently commissioned research from 451 Research. Based on input from 500 businesses and 1,000 consumers, 451 Research concluded that the EU’s online economy risks losing €57 billion (US $64.6 billion) when Strong Customer Authentication (SCA) goes into effect on 14 September 2019 and ushers in what will potentially be forget-the-socks-inducing friction into the checkout process.

SCA is all about protecting consumers by clamping down on fraud. One of the new requirements of the second Payment Services Directive (PSD2), which was passed by the EU in November 2015, it involves introducing additional authentication into online checkout. That can be as simple as a one-time PIN code delivered by, say, a text message, or generated by an authenticator app such as Sophos Authenticator, or it could be fingerprint confirmation on those devices that support it.

Researchers have discovered another dangerous security hole hiding in recent, unpatched versions of the popular mail server, Exim.

Uncovered in May 2019 by security company Qualys, the flaw (CVE-2019-10149) affects Exim versions 4.87 to 4.91 inclusive (the latter released as far back as 15 April 2018) running on several Linux distros. The next release, version 4.92, fixed the problem on 10 February 2019, although that wasn’t realized by the software’s maintainers at the time.

The lowdown: anyone still running a version from April 2016 to earlier this year will be vulnerable. Versions before that might also be vulnerable if EXPERIMENTAL_EVENT is enabled manually, Qualys’s advisory warns.

The issue is described as an RCE, which in this case stands for Remote Command Execution, not to be confused with the more often-cited Remote Code Execution.

As the term implies, what that means is that an attacker could remotely execute arbitrary commands on a target system without having to upload malicious software.

The attack is easy from another system on the same local network. Pulling off the same from a system outside the network would require an attacker to…

Keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.

Remote exploitation is also possible when Exim is using any one of several non-default configurations itemized in the Qualys advisory.

New research shows that most vulnerabilities aren’t exploited and those that are tend to have a high CVSS score (awarded on the basis of how dangerous and easy to exploit the vulnerability is). So, not surprisingly, the most easily exploited flaws are the ones exploited most frequently.

What’s more surprising is that there’s apparently no relationship between the proof-of-concept (PoC) exploit code being published publicly online and the start of real-world attacks.

The numbers: the researchers collected 4,183 unique security flaws used in the wild between 2009 and 2018. That’s less than half of the 9,726 discoveries of exploit code that had been written and posted online.

Those numbers come from a study in which a team of researchers from Cyentia, Virginia Tech, and the RAND Corporation took a look at how to balance the pluses and minuses of two competing strategies for tackling vulnerabilities.

What’s the best way to herd cats?

Fixing them all would get you great coverage, but that’s a lot of time and resources spent on sealing up low-risk vulnerabilities. It would be more efficient to concentrate on patching just some high-risk vulnerabilities, but that approach leaves organizations open to whatever vulnerabilities they didn’t prioritize.

How do you know which vulnerabilities are worth fixing? The researchers sought to figure that out by using data collected from a multitude of sources, along with machine learning, to build and then compare a series of remediation strategies to see how they perform with regard to the tradeoff between coverage and efficiency.
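As an added illustration (not the study’s code or data), here is the coverage-versus-efficiency trade-off described above computed for a few simple remediation strategies over a small constructed inventory of vulnerabilities. The CVE-EXAMPLE labels are placeholders, not real CVE numbers, and the scores and flags are invented; the point is how the two metrics pull against each other, including the case of a “patch whatever has a public PoC” rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder label, not a real CVE number
    cvss: float       # CVSS base score
    exploited: bool   # observed exploited in the wild
    poc_public: bool  # proof-of-concept exploit code published online


# Constructed sample inventory; every value here is invented for illustration.
SAMPLE = [
    Vuln("CVE-EXAMPLE-1", 9.8, True, True),
    Vuln("CVE-EXAMPLE-2", 9.1, True, False),
    Vuln("CVE-EXAMPLE-3", 7.5, True, True),
    Vuln("CVE-EXAMPLE-4", 7.2, False, True),
    Vuln("CVE-EXAMPLE-5", 6.5, False, True),
    Vuln("CVE-EXAMPLE-6", 5.3, True, False),
    Vuln("CVE-EXAMPLE-7", 4.3, False, False),
    Vuln("CVE-EXAMPLE-8", 3.1, False, True),
]

# Candidate remediation rules: each decides whether a vulnerability gets patched.
STRATEGIES = {
    "patch everything": lambda v: True,
    "CVSS >= 7": lambda v: v.cvss >= 7.0,
    "CVSS >= 9": lambda v: v.cvss >= 9.0,
    "public PoC only": lambda v: v.poc_public,
}


def evaluate(vulns, strategy):
    """Return (coverage, efficiency, patched_count) for one strategy.
    coverage   = exploited vulns the strategy patches / all exploited vulns
    efficiency = exploited vulns the strategy patches / all vulns it patches"""
    patched = [v for v in vulns if strategy(v)]
    exploited_total = sum(v.exploited for v in vulns)
    exploited_patched = sum(v.exploited for v in patched)
    coverage = exploited_patched / exploited_total if exploited_total else 1.0
    efficiency = exploited_patched / len(patched) if patched else 0.0
    return coverage, efficiency, len(patched)


def compare(vulns=SAMPLE, strategies=STRATEGIES):
    """Score every strategy so the trade-off can be read side by side."""
    return {name: evaluate(vulns, rule) for name, rule in strategies.items()}


if __name__ == "__main__":
    for name, (cov, eff, n) in compare().items():
        print(f"{name:18s} patched={n} coverage={cov:.2f} efficiency={eff:.2f}")
```

On this sample, patching everything gives full coverage at 50% efficiency, a CVSS-9 cutoff gives perfect efficiency but misses half of the exploited flaws, and the public-PoC rule scores worst on efficiency, echoing the study’s finding that PoC publication is a poor predictor of real-world exploitation.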
